<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>OpenSSH Security</title>
<link rev="made" href="mailto:www@openbsd.org">
<meta name="resource-type" content="document">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="OpenSSH advisories">
<meta name="keywords" content="security,openssh,main">
<meta name="distribution" content="global">
<meta name="copyright" content="This document copyright 1999-2005 by OpenBSD.">
</head>

<body bgcolor="#ffffff" text="#000000" link="#23238e">
<a href="index.html"><img alt="[OpenSSH]" height="30" width="141" src="images/smalltitle.gif" border="0"></a>
<p>
<h2><font color="#e00000">Security</font></h2>
<hr>

OpenSSH is developed with the same rigorous security process that the
OpenBSD group is famous for. If you wish to report a security issue in
OpenSSH, please contact the private developers list &lt;<a href="mailto:openssh@openssh.com">openssh@openssh.com</a>&gt;.
<p>

For more information, see the
<a href="http://www.openbsd.org/security.html">OpenBSD Security page</a>. 
<p>

<ul>
<li>Portable OpenSSH 5.1 and newer are not vulnerable to the X11UseLocalhost=no hijacking attack 
    on HP/UX (and possibly other systems) described in the
    <a href="http://www.openssh.com/txt/release-5.1">OpenSSH 5.1 release notes</a>.
<p>
<li>OpenSSH 5.0 and newer are not vulnerable to the X11 hijacking attack
    described in
    <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483">CVE-2008-1483</a> and the
    <a href="http://www.openssh.com/txt/release-5.0">OpenSSH 5.0 release notes</a>.
<p>
<li>OpenSSH 4.9 and newer do not execute ~/.ssh/rc for sessions whose command
    has been overridden with a sshd_config(5) <em>ForceCommand</em> directive.
    This was a documented but unsafe behaviour (described in the
    <a href="http://www.openssh.com/txt/release-4.9">OpenSSH 4.9 release notes</a>).
<p>
<li>OpenSSH 4.7 and newer do not fall back to creating trusted X11
    authentication cookies when untrusted cookie generation fails (e.g. due to
    deliberate resource exhaustion), as described in the 
    <a href="http://www.openssh.com/txt/release-4.7">OpenSSH 4.7 release notes</a>.
<p>
<li>OpenSSH 4.5 and newer fix a weakness in the privilege separation monitor
    that could be used to spoof successful authentication (described in the 
    <a href="http://www.openssh.com/txt/release-4.5">OpenSSH 4.5 release notes</a>).
    Note that exploitation of this vulnerability would require an attacker to
    have already subverted the network-facing sshd(8) process, and no
    vulnerabilities permitting this are known.
<p>
<li>OpenSSH 4.4 and newer are not vulnerable to the unsafe signal handler
    vulnerability described in the 
    <a href="http://www.openssh.com/txt/release-4.4">OpenSSH 4.4 release notes</a>.
<p>
<li>OpenSSH 4.4 and newer are not vulnerable to the SSH protocol 1 denial of
    service attack described in the 
    <a href="http://www.openssh.com/txt/release-4.4">OpenSSH 4.4 release notes</a>.
<p>
<li>OpenSSH 4.3 and newer are not vulnerable to shell metacharacter expansion
    in scp(1) local-local and remote-remote copies 
    (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225">CVE-2006-0225</a>), as described in the
    <a href="http://www.openssh.com/txt/release-4.3">OpenSSH 4.3 release notes</a>.
<p>
<li>OpenSSH 4.2 and newer do not allow delegation of GSSAPI credentials
    after authentication using a non-GSSAPI method, as described in the
    <a href="http://www.openssh.com/txt/release-4.2">OpenSSH 4.2 release notes</a>.
<p>
<li>OpenSSH 4.2 and newer do not incorrectly activate GatewayPorts for
    dynamic forwardings (bug introduced in OpenSSH 4.0) as described in the
    <a href="http://www.openssh.com/txt/release-4.2">OpenSSH 4.2 release notes</a>.
<p>
<li>Portable OpenSSH 3.7.1p2 and newer are not vulnerable to
    "September 23, 2003: Portable OpenSSH Multiple PAM vulnerabilities",
    <a href="http://www.openssh.com/txt/sshpam.adv">OpenSSH
    Security Advisory</a>. (This issue does not affect OpenBSD versions.)
<p>
<li>OpenSSH 3.7.1 and newer are not vulnerable to
    "September 16, 2003: OpenSSH Buffer Management bug",
    <a href="http://www.openssh.com/txt/buffer.adv">OpenSSH
    Security Advisory</a> and CERT Advisory
    <a href="http://www.cert.org/advisories/CA-2003-24.html">CA-2003-24</a>.
<p>
<li>OpenSSH 3.4 and newer are not vulnerable to
    "June 26, 2002: OpenSSH Remote Challenge Vulnerability",
    <a href="http://www.openssh.com/txt/preauth.adv">OpenSSH
    Security Advisory</a>. 
<p>
<li>OpenSSH 3.2.1 and newer are not vulnerable to
    "April 21, 2002: Buffer overflow in AFS/Kerberos token passing code",
    <a href="http://www.openbsd.org/advisories/ssh_afstoken.txt">OpenSSH
    Security Advisory</a>: 
    Versions prior to OpenSSH 3.2.1 allow privileged access if
    AFS/Kerberos token passing is compiled in and enabled (either
    in the system or in sshd_config).
<p>
<li>OpenSSH 3.1 and newer are not vulnerable to
    "March 7, 2002: Off-by-one error in the channel code",
    <a href="http://www.openbsd.org/advisories/ssh_channelalloc.txt">OpenSSH
    Security Advisory</a>.  
<p>
<li>OpenSSH 3.0.2 and newer do not
    allow users to <a href="http://www.kb.cert.org/vuls/id/157447">
    pass environment variables to login(1) if UseLogin is enabled</a>. 
    The UseLogin option is disabled by default in all OpenSSH releases.
<p>
<li>OpenSSH 2.9.9 and newer are not vulnerable to
    "Sep 26, 2001: Weakness in OpenSSH's source IP based access control
    for SSH protocol v2 public key authentication.",
    <a href="http://www.openbsd.org/advisories/ssh_option.txt">OpenSSH
    Security Advisory</a>.  
<p>
<li>OpenSSH 2.9.9 and newer do not
    allow users to <a href="http://www.kb.cert.org/vuls/id/655259">
    delete files named "cookies" if X11 forwarding is enabled</a>. 
    X11 forwarding is disabled by default.
<p>
<li>OpenSSH 2.3.1, a development snapshot which was never released, was
    vulnerable to
    "Feb 8, 2001: Authentication By-Pass Vulnerability in OpenSSH-2.3.1",
    <a href="http://www.openbsd.org/advisories/ssh_bypass.txt">OpenBSD
    Security Advisory</a>.  
    In protocol 2, authentication could be bypassed if public key
    authentication was permitted. This problem exists only
    in OpenSSH 2.3.1, a three-week internal development release.
    OpenSSH 2.3.0 and versions newer than 2.3.1 are not vulnerable to
    this problem.
<p>
<li>OpenSSH 2.3.0 and newer do not allow
    <a href="http://www.kb.cert.org/vuls/id/363181">
    malicious servers to access the client's X11 display or ssh-agent</a>.
    This problem has been fixed in OpenSSH 2.3.0.
<p>
<li>OpenSSH 2.3.0 and newer are not vulnerable to the
    "Feb 8, 2001: SSH-1 Daemon CRC32 Compensation Attack Detector Vulnerability",
    <a href="http://razor.bindview.com/publish/advisories/adv_ssh1crc.html">RAZOR Bindview Advisory CAN-2001-0144</a>.  
    A buffer overflow in the CRC32 compensation attack detector can
    lead to remote root access.  This problem has been fixed in
    OpenSSH 2.3.0.  However, versions prior to 2.3.0 are vulnerable.
<p>
<li>OpenSSH 2.2.0 and newer are not vulnerable to the
    "Feb 7, 2001: SSH-1 Session Key Recovery Vulnerability",
    CORE-SDI Advisory CORE-20010116.  OpenSSH imposes limits on the
    connection rate, making the attack unfeasible.  Additionally, the
    Bleichenbacher oracle has been closed completely since January 29,
    2001.
<p>
<li>OpenSSH 2.1.1 and newer do not allow a remote attacker to
    <a href="http://www.kb.cert.org/vuls/id/40327">
    execute arbitrary commands with the privileges of sshd if UseLogin</a>
    is enabled by the administrator. UseLogin is disabled by default.
    This problem has been fixed in OpenSSH 2.1.1.
<p>
<li>OpenSSH was never vulnerable to the
    "Feb 5, 2001: SSH-1 Brute Force Password Vulnerability",
    <a href="http://www.crimelabs.net/">Crimelabs Security Note CLABS200101</a>.
<p>
<li>OpenSSH was not vulnerable to the RC4 cipher
    <a href="http://www.kb.cert.org/vuls/id/565052">password cracking</a>,
    <a href="http://www.kb.cert.org/vuls/id/665372">replay</a>, or
    <a href="http://www.kb.cert.org/vuls/id/25309">modification</a>
    attacks.  At the time that OpenSSH was started, it was already known
    that SSH 1 used the RC4 stream cipher completely incorrectly, and
    thus RC4 support was removed.
<p>
<li>OpenSSH was not vulnerable to
    <a href="http://www.kb.cert.org/vuls/id/684820">client forwarding attacks</a>
    in unencrypted connections, since unencrypted connection support was
    removed at OpenSSH project start.
<p>
<li>OpenSSH was not vulnerable to IDEA-encryption algorithm
    <a href="http://www.kb.cert.org/vuls/id/315308">attacks on the last packet</a>,
    since the IDEA algorithm is not supported.  The patent status of IDEA makes
    it unsuitable for inclusion in OpenSSH.
<p>
<li>OpenSSH does not treat localhost as exempt from host key checking,
    thus making it not vulnerable to the
    <a href="http://www.kb.cert.org/vuls/id/786900">host key authentication bypass</a>
    attack.
<p>
<li>OpenSSH was not vulnerable to
    <a href="http://www.kb.cert.org/vuls/id/118892">uncontrollable X11 forwarding</a>
    attacks because X11 forwarding is disabled by default and the user can
    deny it.
<p>
<li>OpenSSH shares the SSH 1 protocol deficiency that might make an insertion attack
    difficult but possible.  The CORE-SDI
    <a href="http://www2.corest.com/common/showdoc.php?idx=131&amp;idxseccion=10">deattack mechanism</a>
    is used to eliminate
    the common case. Ways of solving this problem are being investigated, since
    the SSH 1 protocol is not dead yet.
</ul>

<hr>
<a href="index.html"><img height=24 width=24 src="back.gif" border=0 alt="OpenSSH"></a>
<a href="mailto:www@openbsd.org">www@openbsd.org</a>
<br>
<small>$OpenBSD: security.html,v 1.38 2008/07/22 00:09:23 djm Exp $</small>

</body>
</html>
